{"id":16101483,"url":"https://github.com/mendhak/keepass-and-keeagent-setup","last_synced_at":"2025-10-05T03:42:46.639Z","repository":{"id":141195299,"uuid":"66723703","full_name":"mendhak/keepass-and-keeagent-setup","owner":"mendhak","description":"Security setup instructions for using KeePass with KeeAgent for SSH keypairs","archived":false,"fork":false,"pushed_at":"2019-07-27T22:03:24.000Z","size":657,"stargazers_count":47,"open_issues_count":2,"forks_count":7,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-02-12T06:38:45.580Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://code.mendhak.com/keepass-and-keeagent-setup/","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mendhak.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-08-27T16:18:09.000Z","updated_at":"2024-04-15T22:24:50.000Z","dependencies_parsed_at":null,"dependency_job_id":"1c71e940-92bf-4d6a-9e33-8012eb3b6a05","html_url":"https://github.com/mendhak/keepass-and-keeagent-setup","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mendhak%2Fkeepass-and-keeagent-setup","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mendhak%2Fkeepass-and-keeagent-setup/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mendhak%2Fkeepass-and-keeagent-setup/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mendhak%2Fkeepass-and
-keeagent-setup/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mendhak","download_url":"https://codeload.github.com/mendhak/keepass-and-keeagent-setup/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247419640,"owners_count":20936009,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-09T18:50:03.457Z","updated_at":"2025-10-05T03:42:46.511Z","avatar_url":"https://github.com/mendhak.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Using KeePass with KeeAgent\r\n\r\nWhile KeePass is generally used for storing credentials, it can also be used to store SSH keys as well as *serve* those SSH keys when applications need them.\r\n\r\nIt's a good idea to use SSH keys when connecting to remote servers rather than usernames and passwords.  It's also a good practice to generate a keypair for each server you connect to - including when performing remote `git` operations.  \r\n\r\nOver time though, the number of keys you need to manage and remember can grow.  There are various ways to solve this, including SSH `.config` files.  KeePass is one way to go about this: by using KeePass with the KeeAgent plugin, we can use the KeePass database as a container for our keys and have it serve them when needed.  This has the advantage that the SSH keys are synced with the KeePass database.      \r\n\r\n\r\n## Install things\r\n\r\n\r\n### KeePass\r\n\r\nEnsure [KeePass Professional Edition](http://keepass.info/download.html) is installed.  
You may want to consider using the *portable* edition, and syncing the entire KeePass installation along with your `.kdbx` across your machines.  For example, you could have the KeePass installation in your Google Drive, which includes the config file and a plugins folder.  This way, your settings and plugins will carry across machines, reducing the setup required. \r\n\r\n![gdrive](assets/keepass-in-gdrive.png)  \r\n\r\n### Git Bash\r\n\r\nGit Bash isn't just the `git` command as most people use it; it's actually a collection of very useful and familiar utilities such as `grep`, `vi`, `awk`, `cut`, but most importantly `ssh` and `scp`.  Have a look at *C:\\Program Files\\Git\\usr\\bin* to get an idea of what you can use.\r\n\r\n![git-bing](assets/git-bin-folder.png)\r\n\r\nWhen installing [Git Bash](https://git-scm.com/downloads), I'd recommend the options for using Git from the Windows Command Prompt, and line endings being 'as is'.\r\n\r\n### KeeAgent\r\n\r\nInstall [KeeAgent](http://lechnology.com/software/keeagent/#Download) - it's a simple matter of placing the `KeeAgent.plgx` file in the KeePass plugins folder.\r\n\r\n![plgx](assets/keeagent-install-plgx.png)\r\n\r\nYou will need to reopen KeePass for the plugin to appear.  \r\n\r\n### Add keys to your remote Git account\r\n\r\nA common use case for SSH is accessing your GitHub or Bitbucket account over `ssh` instead of `http`.   \r\n\r\n![gitclone](assets/github-clone.png)\r\n\r\nAs a prerequisite, [add your public key](https://help.github.com/articles/adding-a-new-ssh-key-to-your-github-account/) to your account.\r\n\r\n![githubssh](assets/ssh-key-paste.png)\r\n\r\n_____\r\n\r\n## Store your keys\r\n\r\nContinuing with the GitHub example, create a new entry to hold the key.  If the private key has a password on it, enter that password in the password field. \r\n\r\n\r\n![keeagent1](assets/keepass-ssh-key-1.png)\r\n\r\nNow for the keys.  Click on the *Advanced* tab and choose to attach files. 
\r\n\r\n![keeagent2](assets/keepass-ssh-key-2.png)\r\n\r\nFind the SSH keypair for your remote server and attach its files.\r\n\r\n![keeagent3](assets/keepass-ssh-key-3.png)\r\n\r\n\r\n### Load your key with KeeAgent\r\n\r\nClick on the KeeAgent tab. Check the *Allow KeeAgent to use this entry* option.  From the *Attachment* option, choose the private key that you attached just a while ago.\r\n\r\nYou should see the *Key Info* section populate with some information about your keys.  \r\n\r\n![keeagent4](assets/keepass-ssh-key-4.png)\r\n\r\nAt this point KeeAgent knows about your key but hasn't loaded it.  For the key to be loaded, either reopen the KeePass database, or double click on the *SSH Key Status* column to change the status from *Not Loaded* to *Loaded*.\r\n\r\n![keeagent5](assets/keepass-ssh-key-5.png)\r\n\r\nAnother way to check which keys are loaded is via *Tools* \u003e *KeeAgent*.\r\n\r\n![keeagent6](assets/keepass-ssh-key-6.png)\r\n\r\n### Tell Git Bash to use KeeAgent\r\n\r\nAlthough KeeAgent is now ready to serve the keys, Git Bash needs to be told about it.  If you open Git Bash now and try a quick test, you should get an error.\r\n\r\n\u003e$ ssh -T git@github.com  \r\n\u003ePermission denied (publickey).\r\n\r\nGo back to KeePass, and click *Tools* \u003e *Options...* and then click the *KeeAgent* tab. Choose to *Show a notification...*, and more importantly check the boxes in the *Cygwin/MSYS Integration* area.  Add a path such as *C:\\Temp\\cyglockfile* and *C:\\Temp\\syslockfile* or any arbitrary file name you want.  This will create socket files, which are a Unix concept - they allow applications to talk to each other through a file.  In this case, Git Bash will communicate with KeePass through one of these two socket files.\r\n\r\n![keeagent7](assets/keepass-ssh-key-7.png)  \r\n\r\nAgain, close and reopen KeePass, then head over to *C:\\Temp* or whichever path you specified.  You should see your socket files there. 
\r\n\r\n![keeagent8](assets/keepass-ssh-key-8.png)  \r\n\r\nUsing your text editor, or even `vi` in Git Bash, edit/create the `~/.bashrc` file.  This would correspond to *C:\\users\\username\\\\.bashrc* \r\n\r\n    vi ~/.bashrc\r\n\r\nAdd the following line to it - it will set the `SSH_AUTH_SOCK` environment variable, pointing at the socket file.  This is what Git Bash needs to know. \r\n\r\n    export SSH_AUTH_SOCK=\"C:\\Temp\\cyglockfile\"\r\n\r\nClose and reopen Git Bash.  Then try your test again.  If it works, you should see a message from GitHub, and a notification that a key was used.  If it doesn't work, try again with the other file (syslockfile) instead.  \r\n\r\n![keeagent9](assets/keepass-ssh-key-9.png)\r\n\r\nTry out a few `git` commands - `git clone` (with the non-http URL), `git fetch` and `git push`.  In each case it should use the key and show you a notification.\r\n\r\n\r\n### Don't load every key\r\n\r\nBack in the load step, we left the *Add key to agent when database is opened/unlocked* option checked. \r\n\r\n![keeagent10](assets/keepass-ssh-key-10.png)\r\n\r\nThis tells KeeAgent to load this key up whenever this KeePass database is opened.  But if you have around 5 or more keys loaded, your authentication may fail.  This is because an SSH agent works by trying every loaded key in turn until it finds one that works.  Many SSH servers don't like this and will close the connection if they see around 5 or more attempts.  \r\n\r\nYou should only check the above option for frequently used keys, and a Git server key is a good example.  
\r\n\r\nFor occasionally used keys, you can double click the *SSH Key Status* column to load them only when you're about to use them, and even unload a few others.\r\n\r\n\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmendhak%2Fkeepass-and-keeagent-setup","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmendhak%2Fkeepass-and-keeagent-setup","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmendhak%2Fkeepass-and-keeagent-setup/lists"}